Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-13924

HTTP2 is not working with Oracle JDK8 u261

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 21.0.0.Final
    • 20.0.0.Final, 20.0.1.Final, 21.0.0.Beta1
    • Security, Web (Undertow)
    • None
    • Hide

      Info about JDK used:

      $ /home/jstourac/jdks/jdk1.8.0_261/bin/java -version
java version "1.8.0_261"
Java(TM) SE Runtime Environment (build 1.8.0_261-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.261-b12, mixed mode)

      Legacy Security Realm

      1. unzip the WildFly
      2. start the server with proper JDK 
        JAVA_HOME=/home/jstourac/jdks/jdk1.8.0_261 ./wildfly-20.0.0.Final/bin/standalone.sh
      3. wait till server boots up and perform an HTTP request (note that curl with HTTP2 support has to be used, otherwise use different client) 
        curl -k https://localhost:8443 -vvv >/dev/null
      4. see that HTTP/1.1 is used only; there is also this message in the output
        • ALPN, server did not agree to a protocol

      Now workaround:

      1. unzip the WildFly
      2. start the server with proper JDK and property from UNDERTOW-1726 
        JAVA_HOME=/home/jstourac/jdks/jdk1.8.0_261 ./wildfly-20.0.0.Final/bin/standalone.sh -Dio.undertow.protocols.alpn.jdk8
      3. wait till server boots up and perform an HTTP request 
        curl -k https://localhost:8443 -vvv >/dev/null
      4. see that HTTP/2 is used successfully now

      Unwrapped Elytron Configuration

      This step needs to be run AFTER the first step so the default self signed certificate is pre-generated.

      Execute the following CLI commands to switch to an Elytron SSLContext:

      /subsystem=elytron/key-store=test:add(relative-to=jboss.server.config.dir, path=application.keystore, credential-reference={clear-text=password})
/subsystem=elytron/key-manager=test:add(key-store=test, credential-reference={clear-text=password})
/subsystem=elytron/server-ssl-context=test:add(key-manager=test)

batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=test)
run-batch

      The same curl command can be used to test the establishment of a HTTPS connection.

      Using the system property -Dio.undertow.protocols.alpn.jdk8 again restores the ability to use ALPN.

      Wrapped Elytron Configuration

      It was always preferred that the Elytron subsystem would wrap the SSLContext to prevent against unintended modification but we had to drop to unwrapping to support the JDK 8 hack needed for ALPN.

      This third test should be executed after the previous test as it is a continuation of the configuration.

      Execute the following CLI to ensure the SSLContext is wrapped:

      /subsystem=elytron/server-ssl-context=test:write-attribute(name=wrap, value=true)

      If the server is restarted with or without the system property ALPN is not available.

      Show
      Info about JDK used: $ /home/jstourac/jdks/jdk1.8.0_261/bin/java -version java version "1.8.0_261" Java(TM) SE Runtime Environment (build 1.8.0_261-b12) Java HotSpot(TM) 64-Bit Server VM (build 25.261-b12, mixed mode) Legacy Security Realm unzip the WildFly start the server with proper JDK JAVA_HOME=/home/jstourac/jdks/jdk1.8.0_261 ./wildfly-20.0.0.Final/bin/standalone.sh wait till server boots up and perform an HTTP request (note that curl with HTTP2 support has to be used, otherwise use different client) curl -k https: //localhost:8443 -vvv >/dev/ null see that HTTP/1.1 is used only; there is also this message in the output ALPN, server did not agree to a protocol Now workaround: unzip the WildFly start the server with proper JDK and property from UNDERTOW-1726 JAVA_HOME=/home/jstourac/jdks/jdk1.8.0_261 ./wildfly-20.0.0.Final/bin/standalone.sh -Dio.undertow.protocols.alpn.jdk8 wait till server boots up and perform an HTTP request curl -k https: //localhost:8443 -vvv >/dev/ null see that HTTP/2 is used successfully now Unwrapped Elytron Configuration This step needs to be run AFTER the first step so the default self signed certificate is pre-generated. Execute the following CLI commands to switch to an Elytron SSLContext: /subsystem=elytron/key-store=test:add(relative-to=jboss.server.config.dir, path=application.keystore, credential-reference={clear-text=password}) /subsystem=elytron/key-manager=test:add(key-store=test, credential-reference={clear-text=password}) /subsystem=elytron/server-ssl-context=test:add(key-manager=test) batch /subsystem=undertow/server= default -server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=ssl-context, value=test) run-batch The same curl command can be used to test the establishment of a HTTPS connection. Using the system property -Dio.undertow.protocols.alpn.jdk8 again restores the ability to use ALPN. Wrapped Elytron Configuration It was always preferred that the Elytron subsystem would wrap the SSLContext to prevent against unintended modification but we had to drop to unwrapping to support the JDK 8 hack needed for ALPN. This third test should be executed after the previous test as it is a continuation of the configuration. Execute the following CLI to ensure the SSLContext is wrapped: /subsystem=elytron/server-ssl-context=test:write-attribute(name=wrap, value= true ) If the server is restarted with or without the system property ALPN is not available.
    • Undefined
    • ---
    • ---

    Description

      There seems to be some problem with HTTP2 support with new Oracle JDK8 u261 and WildFly since 20.0.0.Final version. When request against server is executed, then HTTP2 is not established and communication remains via HTTP/1.1.

      There is no such issue when I use WildFly 19.0.0.Final. Also, if I switch back to an older Oracle JDK8 u241, there is no such issue even with newer WildFly versions.

      This all seems to be tied with backport of ALPN support into the Oracle JDK8 recently and also work in following issue UNDERTOW-1726.

      There seems to be a workaround available - to define '-Dio.undertow.protocols.alpn.jdk8' during the server startup. With this property configured, the issue seems to disappear (as such, blocker priority of this may be discussed).

      What is the issue here:

      This is a change in default behavior of the server (HTTP2 not working with Oracle JDK8u261+ since WildFly 20.0.0.Final). We should try to resolve this without default behavior change if possible. Only in case there is really no other solution, we need to document such thing.

      Attachments

        Issue Links

          is blocked by

          Release - A container task to coordinate the tasks for a given release. ELY-2027 Release WildFly Elytron 1.13.1.Final

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFCORE-5152 Upgrade WildFly Elytron to 1.13.1.Final

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is caused by

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-1726 Check Java version in the JDK9AlpnProvider

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-20313 (7.3.z) WFLY-13924 - HTTP2 is not working with Oracle JDK8 u261

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified
          is related to

          Bug - A problem that impairs or prevents the functions of the product. ELY-2026 UnsupportedOperationException in SSLEngine using jdk 251+

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-13945 Upgrade WildFly Core to 13.0.1.Final

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          relates to

          Sub-task - The sub-task of the issue UNDERTOW-1778 Http2ClientTestCase fails because HTTP2 is not enabled

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-20279 HTTP2 is not working with Oracle JDK8 u261

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) UNDERTOW-1796 Change the default value of the io.undertow.protocols.alpn.jdk8 to true

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              flaviarnn Flavia Rainone
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: